Active Directory SSO

What it's about


Log in with Active Directory accounts using the LDAP protocol!

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks.

It is included in most Windows Server operating systems as a database and set of processes and services that connect users with the network resources they need to get their work done. Not to be confused with Microsoft Azure Active Directory. 


A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.

This data store, also known as the directory, contains information about Active Directory objects. These objects typically include shared resources such as servers, volumes, printers, and the network user and computer accounts. 

Security is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage directory data and organization throughout their network, and authorized network users can access resources anywhere on the network.


In a few words, AD DS authenticates and authorizes all users and computers in a Windows domain-type network, assigning and enforcing security policies for all computers and installing or updating software. AD makes sure each person is who they claim to be (authentication), usually by checking the user ID and password they enter, and allows them to access only the data they are allowed to use (authorization).


AD DS relies on several established protocols and standards, including LDAP (Lightweight Directory Access Protocol). In brief, LDAP is a directory services protocol and Active Directory is a directory server that uses the LDAP protocol.

LDAP, an open, cross-platform protocol used for directory services authentication, provides the communication language that applications use to talk to directory servers. Directory services store the users, passwords, and computer accounts, and share that information with other entities on the network.


How to set up


To activate the login with Active Directory on XCALLY, you need to: 


A. Join XCALLY server to the Active Directory domain

B. Enable Active Directory connection in XCALLY

C. Enable Active Directory login for Administrator, Users and Agents


Join XCALLY server to the Active Directory domain


As a requirement of the integration, the XCALLY server must be joined to the Active Directory domain.


Follow these steps to configure the XCALLY server:

  1. Use SSH to connect to your XCALLY server

  2. Log in as the root user

  3. Install the packages required for joining the Active Directory (AD) domain:

    apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

  4. After a successful installation, you can proceed to discover the Active Directory domain: the realm discover command returns the complete domain configuration and the list of packages that must be installed for the system to be enrolled in the domain

    realm discover <domain name>

  5. An Active Directory administrative user account is required to join your XCALLY machine to the Windows Active Directory domain. Check and confirm the Active Directory admin account and its password, then join the domain:

    realm join -U <user> <domain name>


Enable Active Directory connection in XCALLY


To use Active Directory login, you need to add Active Directory settings on XCALLY.

Retrieve Active Directory configuration

Ask the Active Directory administrator for the following properties:

Property   Description
url        Active Directory server to connect to, e.g. ldap://ad.example.com
baseDN     The root DN from which all searches will be performed, e.g. dc=example,dc=com
domain     Domain of the email address, e.g. example.com


Configure Active Directory in XCALLY

Follow these steps to configure the Active Directory:

  1. Use SSH to connect to your XCALLY server

  2. Stop the motion application (with root privileges)

  3. Log in as the motion user

  4. Open /var/opt/motion2/.env and edit the following properties (add them if they do not exist)

  5. Initialize the environment variables


Enable Active Directory login for Administrator, Users and Agents


The login with Active Directory must be enabled in XCALLY.

Enable login in General Settings

The Login with Active Directory must be enabled under Settings → General:


Enable login in Users or Agents settings


For Users or Administrator, the Login with Active Directory must be enabled under Staff → Users:

The same property is available under Staff → Agents for Agents.

For agents, the SSO feature is available only for WebRTC agents (not for Phonebar agents).

At this point, the user or agent will be able to log in if their XCALLY username, combined with the domain entered in the settings, matches the username in Active Directory.


Example


In the following example we assume that the domain is acme.com and the URL to access Active Directory is ad.acme.com.

In the file /var/opt/motion2/.env, you need to add the following property:


The agent John Doe, with john.doe@acme.com as email address, will be able to log in using Active Directory if the agent in XCALLY is configured as shown in the image:
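As an added example (not XCALLY's own code), the following Python checks the three properties from the configuration table (url, baseDN, domain) and applies the login rule from the previous section to the acme.com example: the XCALLY username combined with the configured domain must match the account in Active Directory. The AdConfig class, the check functions and the sample values are assumptions made for this illustration.

```python
# Added example, not XCALLY's own code: sanity-check the url/baseDN/domain
# properties and derive the Active Directory principal that the XCALLY
# username + domain rule resolves to. Class and function names are assumed.
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# One RDN such as dc=acme; the baseDN is a comma-separated list of these
DN_COMPONENT = re.compile(r"^(dc|ou|cn|o)=[^,=]+$", re.IGNORECASE)
# A DNS name with at least two labels, e.g. acme.com
DNS_NAME = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.IGNORECASE)


@dataclass(frozen=True)
class AdConfig:
    url: str      # Active Directory server, e.g. ldaps://ad.acme.com
    base_dn: str  # root DN for searches, e.g. dc=acme,dc=com
    domain: str   # domain of the email address, e.g. acme.com


def check_config(cfg: AdConfig) -> list[str]:
    """Return problems found in the settings; an empty list means they are usable."""
    problems = []
    parsed = urlparse(cfg.url)
    if parsed.scheme not in ("ldap", "ldaps"):
        problems.append(f"url must start with ldap:// or ldaps://, got {cfg.url!r}")
    elif not parsed.hostname:
        problems.append("url has no host name")
    elif parsed.scheme == "ldap":
        # A simple bind sends the password as is, so plain ldap:// exposes it on the wire
        problems.append("warning: url uses ldap://, credentials travel unencrypted unless StartTLS is negotiated")
    if not all(DN_COMPONENT.match(part.strip()) for part in cfg.base_dn.split(",")):
        problems.append(f"baseDN is not a valid DN: {cfg.base_dn!r}")
    if not DNS_NAME.match(cfg.domain):
        problems.append(f"domain is not a valid DNS name: {cfg.domain!r}")
    return problems


def login_principal(cfg: AdConfig, xcally_username: str) -> str:
    """Combine the XCALLY username with the configured domain (user@domain)."""
    user = xcally_username.strip()
    if not user or "@" in user:
        raise ValueError("username must be the bare account name, without a domain")
    return f"{user}@{cfg.domain}".lower()


def can_log_in(cfg: AdConfig, xcally_username: str, ad_principal: str) -> bool:
    """True when username@domain matches the principal known to Active Directory."""
    return login_principal(cfg, xcally_username) == ad_principal.strip().lower()
```

Running check_config before enabling the login surfaces a malformed baseDN or a missing ldap:// scheme, which otherwise only shows up as a failed bind at the first user login.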